
reconsider att&ck classification for get/set-uefi-variable.yml

Open mike-hunhoff opened this issue 4 months ago • 0 comments

We should reconsider the att&ck classification for https://github.com/mandiant/capa-rules/blob/64b174e50253cbd506df40e7728531b801636a56/host-interaction/bootloader/get-uefi-variable.yml#L11 and https://github.com/mandiant/capa-rules/blob/64b174e50253cbd506df40e7728531b801636a56/host-interaction/bootloader/set-uefi-variable.yml#L11.

Without additional indicators, I'm not sure that we can draw the conclusion that getting/setting UEFI variables results in boot persistence.

mike-hunhoff, Oct 07 '24 22:10